A very common example of XSS occurs when an application employs a dynamic page to display error messages to users. Typically, the page takes a parameter containing the message's text and simply renders this text back to the user within its response. This type of mechanism is convenient for developers, because it allows them to invoke a customized error page from anywhere in the application without needing to hard-code individual messages within the error page itself.
For example, consider the following URL, which returns the error message shown in Figure 12-1:
Looking at the HTML source for the returned page, we can see that the application simply copies the value of the message parameter in the URL and inserts it into the error page template at the appropriate place:
<p>Sorry, an error occurred.</p>
This behavior of taking user-supplied input and inserting it into the HTML of the server's response is one of the signatures of reflected XSS vulnerabilities; if no filtering or sanitization is performed, the application is certainly vulnerable. Let's see how.
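The reflection mechanism described above, with the vulnerable error page beside an HTML-encoding fix and a defender's round-trip check, as an added example (not the book's own code); the page template, the placeholder error-page URL and the probe string are constructed assumptions:

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed error-page template (an assumption); its <p> line mirrors the
# "Sorry, an error occurred." paragraph shown in the page source above.
TEMPLATE = "<html><body><p>{message}</p></body></html>"

# Placeholder error-page URL (an assumption, not a real application).
ERROR_PAGE = "https://app.example.invalid/error?message="


def message_param(url: str) -> str:
    """Extract the message parameter from the URL, as the dynamic error page does."""
    params = parse_qs(urlsplit(url).query)
    return params.get("message", ["An error occurred."])[0]


def render_error_vulnerable(url: str) -> str:
    """Copy the parameter verbatim into the HTML: the reflected XSS pattern the text describes."""
    return TEMPLATE.format(message=message_param(url))


def render_error_fixed(url: str) -> str:
    """Same page, but HTML-encode the message so the browser renders it as text, not markup."""
    return TEMPLATE.format(message=html.escape(message_param(url), quote=True))


# Harmless constructed probe containing the HTML metacharacters that must be encoded.
PROBE = "<probe>&\"'"


def reflects_unencoded(render) -> bool:
    """Defender's check: send the probe and see whether it comes back with its metacharacters intact."""
    return PROBE in render(ERROR_PAGE + quote(PROBE, safe=""))


if __name__ == "__main__":
    url = ERROR_PAGE + quote("Sorry, an error occurred.")
    print(render_error_vulnerable(url))
    print("vulnerable page reflects unencoded:", reflects_unencoded(render_error_vulnerable))
    print("fixed page reflects unencoded:", reflects_unencoded(render_error_fixed))
```

The same check can be pointed at any renderer that takes a URL; a `True` result is the signature the text describes.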